Having ‘the ear of the CEO’ is key to battling cyberthreats

Former FBI director stresses the importance of an enterprise-wide approach to cybersecurity, while Congress considers legislation to promote sharing threat information.

listening thinkstock


Show More

WASHINGTON -- When a cyberattack comes, organizations need to have in place a solid tech team that reaches to the highest levels of the enterprise, former FBI Director Robert Mueller cautioned at a recent government IT event.

The potential for hacks and data breaches amounts to "an existential threat to the corporation, and there needs to be someone in charge," Mueller says, "someone who has the ear of the CEO."

"One of the most important hires [an organization will make] is the CISO," Mueller says.

Mueller, the second-longest serving head of the FBI, now works in private practice, serving as a partner in the law firm WilmerHale, where his practice focuses on cybersecurity, privacy, investigations and crisis management.

And a major cyberattack, such as those recently visited upon Sony and Target, touches on all four of those areas.

The cyberattack threat landscape

The increase in the volume and sophistication of cyberattacks has been well documented, but Symantec, the host of the event where Mueller gave his keynote address, offers a fresh analysis of the threat landscape.

According to the firm's Internet Security Threat Report, 2014 was a record-setting year for zero-day activity, and companies were slow to respond. Symantec tallied 24 zero-day vulnerabilities last year, and determined that software firms responded by rolling out patches on average 59 days after the threats were discovered, up from just four days the previous year.

Symantec also observed an 8 percent increase in spear-phishing attacks last year, but noted that the perpetrators conducted those campaigns using 20 percent fewer emails than in 2013, indicating a higher level of precision with which those attacks were carried out.

At a time when vast stores of consumer data, intellectual property and other high-value assets are being housed in networked environments, a strong security operation that involves the whole of the enterprise is paramount.

"The stakes have never been higher," says Symantec President and CEO Michael Brown, who calls the steady march of high-profile breaches the "new normal."

"Cyberattackers are leapfrogging traditional defenses," Brown says, noting that the challenge is further compounded by the number of infiltrations and attacks that go undetected. When Symantec begins working with an organization to help respond to a cyber incident, company officials "find several others already in progress," according to Brown.

Mueller recalls efforts to increase cybersecurity awareness throughout the workforce during his time at the bureau, at times running counter to the hierarchical culture at the organization.

"I learned the lesson there in terms of delegation," he says. "At the bureau, to sit down with someone three or four levels below is anathema."

Many experts argue that that spirit of cooperation and coordination must extend beyond the enterprise to see rival companies and government agencies work more closely together on cyber issues.

A better system for sharing cyberthreat information

At a basic level, that would involve a more fluid system for sharing information about emerging cyberthreats. This week, the House is considering a pair of bills that would aim to break down some of the barriers for companies to share threat information, both of which have strong support from prominent tech and telecom trade groups, including the Information Technology Industry Council and NCTA, which represents the cable broadband sector.

On Tuesday, the White House issued statements supporting key tenets of both bills, but at the same time warned of what it calls overly broad liability protections that could amount to granting "immunity to a private company for failing to act on information it receives about the security of its networks."

Those and other issues have dogged past efforts to enact information-sharing legislation, though there is a broad agreement that the current legal environment is due for an update to encourage companies to talk to each other, and, perhaps just as importantly, to open the lines of communication between business and government.

"The private sector is the key partner in cyber," Mueller says.

This story, "Having ‘the ear of the CEO’ is key to battling cyberthreats" was originally published by CIO.


Copyright © 2015 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)